System Hardening
System Hardening
AppArmor
AppArmor is a layer of security that sits between applications and our system filesystem, proceeses and networks.
We can do profiles for the applications we wanna apply AppArmor on.
We can create profiles for firefox, kubernetes, kubelet etc...
Types of profiles
Main commands
Setup simple AppArmor profile for curl
We can run aa-genprof curl to generate a profile for curl, then we can check if its added by going to /etc/apparmor.d/ or running aa-status.
We can use aa-logprof which checks the logs and update our profil according to the logs.
Nginx docker container uses AppArmor profile
We can apply an apparmor profile definition using apparmor_parser --add <path-of-profile> and we got it from https://kubernetes.io/docs/tutorials/security/apparmor/.
We have a pre-created profile called docker-nginx so we will apply it, this profile restricts some stuff as shown below and we can confirm its added by running aa-status
Then to test our new profile we can create an nginx container that uses our profile docker run --security-opt apparmor=docker-nginx -d nginx and then docker exec -it <container-id> sh.
The name of the profile isn't the name of the file, but its the name specified inside the file.
Create pod which uses an AppArmor profile
https://kubernetes.io/docs/tutorials/security/apparmor/
Prior to v1.30, this was created using annotations.
Seccomp
Create nginx pod in kubernetes and assign a seccomp profile to it
https://kubernetes.io/docs/tutorials/security/seccomp/
We have a pre-created seccomp configuration, we will add it to /var/lib/kubelet/seccomp/profiles/default.json on the worker node.
Now, we create a pod and add the profile path.
We can exec and it works!
Now, we will remove write syscall from the seccomp default.json profile and see what happens.
Error: failed to start containerd task "seccomp-pod": OCI runtime start failed: cannot start an already running container: unknownIt is not working as the container can't write and create the nginx service!
Minimize OS Footprint
Running netstat -plnt | grep 22 or lsof -i :22 to check for ssh listening connections and open ports.
Last updated